From Singapore: The open source software ecosystem has long operated on a polite fiction: that the infrastructure underpinning billions of dollars in commercial software development is somehow free. That fiction is now colliding with hard arithmetic, and the bill is coming due for the world's largest technology companies.
At the Linux Foundation Member Summit in Napa, California last week, Brian Fox, chief technology officer of Sonatype and a key steward of the Apache Maven build tool ecosystem, presented data that reframes what many in the technology industry assumed was a solved problem. Major open source package repositories, he revealed, handled 10 trillion downloads last year. That is roughly double Google's total annual search queries, processed by organisations running on donations, grants, and the goodwill of a handful of corporate sponsors.
The scale of the imbalance is striking. Fox shared data showing 82 percent of Maven Central's consumption comes from fewer than 1 percent of worldwide IP addresses, with 80 percent of traffic coming from the IP ranges of the big three cloud hyperscalers. In practical terms, a tiny cohort of corporate actors is consuming infrastructure that the broader developer community collectively funds and maintains.
A Tragedy of the Commons
Fox's diagnosis is blunt. He described the situation as a "tragedy of the commons," where the assumption of "free and infinite" resources leads to structural waste amplified by CI/CD pipelines, security scanners, and AI-driven code generation. The problem is not, by most accounts, deliberate exploitation. In one case, a department store's team of 60 developers generated more traffic than cable modem users worldwide, because misconfigured React Native builds were bypassing the company's internal repository manager and pulling every dependency straight from the public registry. Organisations were often surprised and apologetic when throttling measures were applied, having simply never noticed the volume of automated downloads their pipelines were generating.
Fox detailed extreme examples, such as large organisations downloading the same 10,000 components a million times each month. "That's ridiculous," he said. The challenge of attribution compounds the problem: as Fox noted, "IP addresses don't represent people. They're not even organisations anymore. They're ephemeral. They're kind of like weather," pointing to complications from containers, NAT proxies, and cloud egress IPs.

The response from the open source community has been methodical. In September 2025, the repositories issued an open letter via the Open Source Security Foundation (OpenSSF) calling for "tiered access models" to keep downloads free for hobbyists and individual open source contributors while mandating contributions from high-volume users. Fox has been explicit that voluntary gestures will not be sufficient: contributions from large commercial consumers must become mandatory, not optional.
The Security Dimension
Beyond the economics, there is a security argument that deserves serious weight. Open source foundations cannot keep up with the demand for fast dependency resolution, signed packages, zero downtime, and rapid response to supply chain attacks, let alone looming regulatory requirements such as the EU's Cyber Resilience Act. The repositories that serve as the backbone of modern software development are, in effect, being asked to deliver commercial-grade reliability and security on charitable funding.
Virtually every modern application, whether written in Java, JavaScript, Python, Rust, or PHP, depends on public package registries such as Maven Central, PyPI, and crates.io to retrieve dependencies, along with the checksums and signatures used to verify them. These registries have become foundational digital infrastructure, not just for open source, but for the global software supply chain. Australia's own technology sector, heavily reliant on these same repositories for everything from fintech applications to government digital services, sits directly in the path of any disruption.
The Case for Paying
From a fiscal responsibility standpoint, the case for tiered pricing is straightforward. A small number of sponsoring organisations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability. This is not a model any serious business would accept in any other context. Cloud computing, internet bandwidth, and enterprise software all operate on the principle that usage creates cost and that cost must be recovered.
There is, of course, a legitimate concern from the open source community's progressive wing: that any move toward monetisation risks fracturing the collaborative ethos that made these repositories valuable in the first place. Individual developers, open source maintainers, and small startups depend on free access as a foundational condition of participation. Any pricing model that overreaches risks chilling innovation at the margins, precisely where much of the most creative work happens. The Alpha-Omega project, a Linux Foundation initiative focused on open source supply chain security, has separately raised concerns that security funding gaps are creating systemic vulnerabilities that corporate free-riders are doing nothing to address.
The stewards have suggested that tiered access models are "not radical ideas" but rather "practical, commonsense measures already used in other shared systems, such as internet bandwidth and cloud computing." That framing seems right. The proposed approach preserves free access for genuine open source use while asking commercial operations to fund the infrastructure they depend on at commercial scale.
What Comes Next
Fox indicated that individual ecosystems have been working through the details of their own models, with a rollout expected in the coming quarter. The early signals are that throttled organisations have been receptive once they understood the problem, suggesting that awareness, rather than resistance, has been the primary barrier.
For Australian technology businesses and software teams, the practical message is clear: audit your build pipelines, put a caching repository manager or proxy in front of the public registries, and stop re-downloading unchanged dependencies on every commit. A caching proxy also gives you a single place to enforce checksum and signature verification, and keeps builds running when an upstream registry is throttled or degraded. The days of treating open source repositories as a free, infinitely scalable content delivery network are coming to an end. The only real question is whether the transition to a more sustainable model happens in an orderly way, or through the kind of service degradation that forces the issue unpleasantly. Getting ahead of it now is simply sound engineering practice, and sound economics.
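A concrete version of the pipeline audit recommended above, and of the misconfiguration described earlier (builds bypassing the internal repository manager): this is an added Python example, not code from the article or from Sonatype. It scans a constructed egress-proxy log, counts requests that went straight to public registries instead of the internal mirror, and flags artifacts that were downloaded more than once. The log format, the mirror host name nexus.internal.example, and the registry list are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Public package registries a build should reach only through an internal mirror.
# (Illustrative list; extend it for the ecosystems you actually use.)
PUBLIC_REGISTRIES = {
    "repo1.maven.org": "maven",
    "registry.npmjs.org": "npm",
    "pypi.org": "pypi",
    "files.pythonhosted.org": "pypi",
    "static.crates.io": "crates.io",
}

# Hypothetical internal repository manager host (assumption, not from the article).
INTERNAL_MIRROR = "nexus.internal.example"

# Constructed sample egress-proxy log, one request per line: "epoch client_ip method url".
# The format is an assumption; adjust LINE_RE for your proxy's real access-log format.
SAMPLE_LOG = """\
1730000001 10.0.4.12 GET https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
1730000040 10.0.4.12 GET https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
1730000055 10.0.4.13 GET https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
1730000070 10.0.4.12 GET https://registry.npmjs.org/react-native/-/react-native-0.74.1.tgz
1730000090 10.0.4.12 GET https://registry.npmjs.org/react-native/-/react-native-0.74.1.tgz
1730000100 10.0.4.20 GET https://nexus.internal.example/repository/maven-central/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
1730000120 10.0.4.12 GET https://pypi.org/simple/requests/
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Return (client_ip, host, path) for a well-formed log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m.group("url"))
    if not u.hostname:
        return None
    return m.group("client"), u.hostname.lower(), u.path


def audit(log_text, internal_mirror=INTERNAL_MIRROR):
    """Summarise direct public-registry pulls, redundant downloads and the noisiest clients."""
    direct_by_client = Counter()      # requests that bypassed the mirror, per client IP
    fetches_per_artifact = Counter()  # how many times each public artifact path was fetched
    mirrored = 0
    skipped = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, host, path = parsed
        if host == internal_mirror:
            mirrored += 1          # correct path: the mirror serves and caches it
            continue
        if host not in PUBLIC_REGISTRIES:
            continue               # unrelated traffic
        direct_by_client[client] += 1
        fetches_per_artifact[(PUBLIC_REGISTRIES[host], path)] += 1
    # Every fetch after the first of the same artifact is a download a cache would have absorbed.
    redundant = {k: n - 1 for k, n in fetches_per_artifact.items() if n > 1}
    return {
        "direct_public_requests": sum(direct_by_client.values()),
        "mirrored_requests": mirrored,
        "skipped_lines": skipped,
        "wasted_downloads": sum(redundant.values()),
        "redundant_artifacts": redundant,
        "top_clients": direct_by_client.most_common(3),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against your real proxy or repository-manager access logs after adjusting LINE_RE and INTERNAL_MIRROR. A non-zero direct_public_requests count from CI runner addresses is the bypass to chase first; wasted_downloads is the per-commit re-pull cost the article describes, and on the sample log it is 3 of 6 direct requests.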